masslogger | 8c4ab34b4aa53718967d637c28aab7064f71b6cecba58bdf1e589f98d14ee9a3

General

Target

Standard Terms and Conditions for purchases.exe
Size

940KB
MD5

3523948b0182768af480742150a7bc76
SHA1

3ee7ab152ac2e949ea48c6a6e5aadac2015219fd
SHA256

98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
SHA512

820ea8bd7ef17b0bc45d0390a8e832fc42d97f1743afa9296c3417d90a7fced1409bd34daacc4fdde18a95d744c2eeb582fcab0287eb1d0d98613c15e066bac4

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:51:51 PM MassLogger Started: 5/21/2022 2:51:46 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Extracted

Credentials

Protocol: smtp
Host:
mail.mkontakt.az
Port:
587
Username:
testing@mkontakt.az
Password:
Onyeoba111

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4248-135-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-138-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-140-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-142-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-144-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-146-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-148-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-150-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-152-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-154-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-158-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-156-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-160-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-162-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-164-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-166-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-168-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-170-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-172-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-174-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-176-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-178-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-180-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-182-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-184-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-190-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-188-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-192-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-194-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-196-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-198-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4248-186-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Standard Terms and Conditions for purchases.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Standard Terms and Conditions for purchases.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

Standard Terms and Conditions for purchases.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Standard Terms and Conditions for purchases.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Standard Terms and Conditions for purchases.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org

flow	ioc
19	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

description	pid	process	target process
PID 2436 set thread context of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

pid process

4248 Standard Terms and Conditions for purchases.exe

pid	process
4248	Standard Terms and Conditions for purchases.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Standard Terms and Conditions for purchases.exeStandard Terms and Conditions for purchases.exe

pid	process
2436	Standard Terms and Conditions for purchases.exe
2436	Standard Terms and Conditions for purchases.exe
2436	Standard Terms and Conditions for purchases.exe
2436	Standard Terms and Conditions for purchases.exe
4248	Standard Terms and Conditions for purchases.exe
4248	Standard Terms and Conditions for purchases.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Standard Terms and Conditions for purchases.exeStandard Terms and Conditions for purchases.exe

description	pid	process
Token: SeDebugPrivilege	2436	Standard Terms and Conditions for purchases.exe
Token: SeDebugPrivilege	4248	Standard Terms and Conditions for purchases.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

pid process

4248 Standard Terms and Conditions for purchases.exe

pid	process
4248	Standard Terms and Conditions for purchases.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

description	pid	process	target process
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe
PID 2436 wrote to memory of 4248	2436	Standard Terms and Conditions for purchases.exe	Standard Terms and Conditions for purchases.exe

outlook_office_path 1 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe

outlook_win_path 1 IoCs

Processes:

Standard Terms and Conditions for purchases.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Standard Terms and Conditions for purchases.exe

C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe
"C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe
"{path}"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Standard Terms and Conditions for purchases.exe.log
Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
memory/2436-131-0x0000000007980000-0x0000000007F24000-memory.dmp

Filesize
5.6MB

Download
memory/2436-132-0x00000000074B0000-0x0000000007542000-memory.dmp

Filesize
584KB

Download
memory/2436-133-0x00000000075F0000-0x000000000768C000-memory.dmp

Filesize
624KB

Download
memory/2436-130-0x00000000002D0000-0x00000000003C2000-memory.dmp

Filesize
968KB

Download
memory/4248-164-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-168-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-142-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-144-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-146-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-148-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-150-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-152-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-154-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-158-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-160-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-162-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-134-0x0000000000000000-mapping.dmp

Download
memory/4248-166-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-135-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-170-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-172-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-174-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-176-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-178-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-180-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-182-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-184-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-190-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-188-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-192-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-194-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-196-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-198-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-186-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4248-645-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/4248-646-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

Filesize
40KB

Download
memory/4248-647-0x0000000007D00000-0x0000000007D50000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads